Making cyber-crime pay: investing in cyber security

28 Jun 2018

The increasing digitisation of our world has created greater convenience and access to information than at any other time in history, but it has also created greater challenges for privacy and security.

Cyber-security is also a growing concern, as the recent focus on how social media companies have accessed user data demonstrates, and it is one that the cyber-security industry is emerging to service.

Email security and hackers

In 2017, the financial controller of a small Australian company received an email from the company’s CEO, who was travelling at the time, requesting that the financial controller make a payment of more than US$500,000. The financial controller then received a second email, from the company’s chief operating officer (COO), approving the CEO’s request for payment, and an email trail between the COO and the CFO.

The financial controller paid the money – in two payments, one for more than US$200,000 and one for almost US$300,000 – to bank accounts in overseas jurisdictions.

Straight into the lap of a cyber-criminal – the company had been hacked, and the emails from the CEO and COO were fraudulent.

That example, from the Australian Cyber Security Centre’s (ACSC’s) 2017 Threat Report [1], could be any company, any time. Cyber-risk is ever-present. The Telstra Security Report 2018 [2] said 60% of Australian respondents polled said their business had been interrupted due to a security breach in the last year: 11% of Australian enterprises reported incidents on a weekly basis in 2017, with 25% reporting incidents on a monthly basis.

The Telstra Security Report says that email-based attacks are among the highest security risks for IT departments in Australia. Nearly a quarter of respondents whose business has been interrupted due to a security breach in the past year indicated that their business had experienced a business email compromise (BEC) or “phishing” (attempting to obtain sensitive information by posing as a trustworthy entity) attack at least once a month.

Ransoming data

Increasingly, cyber-attacks represent very deliberate targeting of businesses by cyber-criminals to hold them hostage by demanding ransom in return for precious company data and files. The Telstra Security Report 2018 says the Australian government conservatively estimates the cost of “ransomware” to the Australian economy to be approximately $1 billion a year.

Distributed denial of service (DDoS) attacks, in which a system is flooded with superfluous traffic to disrupt its intended function, are also a major problem. Australians should be well aware of this problem after the country’s National Census Day in 2016 was almost sabotaged by four DDoS attacks, and the Australian Bureau of Statistics (ABS) was forced to take the Census site down to protect the integrity of the data.

As long as we use computers and connected devices, in fact, cyber-risk is more of a cyber-certainty. Globally, the problem is enormous: the Telstra Security Report 2018 cited estimates that cybercrime damages will cost the world a staggering US$6 trillion annually by 2021, doubling from US$3 trillion in 2015.

Aware of the cost of the threat, governments across the globe are taking action to manage cyber security, with the Australian government announcing a Cyber Security Strategy with 33 initiatives in 2017, such as the creation of a Joint Cyber Security Centre in Brisbane and a Cyber Security Information Sharing Portal [3].

Investing in security

For investors, there are plenty of ways to invest in cyber-security through companies that supply products and services to the sector: some of these are highly specialised, such as firewall provider Palo Alto Networks (traded on the New York Stock Exchange); the Nasdaq-listed CyberArk, which protects company networks from internal threats; and its fellow Nasdaq stock Check Point Software, which provides firewalls and other security solutions to a wide range of businesses and organisations; as well as bigger players such as Nasdaq-listed Symantec, which is prominent in cloud security, and networking giant Cisco itself, which is a New York Stock Exchange stock.

The Australian Securities Exchange (ASX) has a range of very small businesses involved in different areas of cyber-security, such as Senetas Corporation, Prophecy International, Covata, Tesserent, Dropsuite and Zyber, but some of these are not profitable and are still in the start-up phase, making it difficult to assess their investment potential.

The Australian contingent certainly does some interesting things. For example, Prophecy International’s SNARE (System Intrusion Analysis and Reporting Environment) platform, which finds, filters, forwards, stores, analyses, reports and alerts on computer events to detect intrusion and malevolent behaviour, is installed in more than 100,000 sites worldwide, in the finance, defence, retail, utilities, hospitals, transport, casinos, and universities sectors, and all tiers of government. Among the prominent customers are NASA, the US Army, Northrop Grumman, Verizon, the US Department of Energy, Raytheon, Rolls-Royce, Fujitsu, and Vodafone.

Senetas’ high-speed data encryption hardware protects network transmitted data in more than 30 countries, and is used by customers ranging from government organisations with highly sensitive information, for example, the US defence forces, to commercial and industrial organisations, banks and global financial transactions systems providers, cloud service providers and small businesses. The company’s encryptors are certified by all four leading international certification authorities – the US government’s FIPS (Federal Information Processing Standards) certification, Common Criteria (required by Australian government and defence organisations), Communications-Electronics Security Group (CAPS) for its Ethernet IG product in the UK (the first up-to-1GB encryptor for government data networks ever certified by CAPS) and the NATO (North Atlantic Treaty Organisation) information security product certification, which covers the 28 NATO member states.

Investors who would rather hold a diversified exposure to the cyber-security sector – or who don’t wish to try to choose the best companies to invest in – could consider accessing managed funds, which may include these companies depending on their investment universe. Another option might be specialised exchange traded funds (ETFs) such as the BetaShares Global Cybersecurity ETF, which trades on the ASX under the stock code HACK and tracks the performance of the Nasdaq Consumer Technology Association (CTA) Cybersecurity Index. This holds US companies such as Symantec, Check Point and Cisco.
